Error=password_rejected, reason='Could not modify attribute for DN

description:
when I modified password,
error message:
WARN [org.keycloak.events] (default task-44) type=UPDATE_PASSWORD_ERROR, realmId=master, clientId=security-admin-console, userId=ce4b5650-90b3-4946-be86-67ee4b17bfc9, ipAddress=XX.XX.XX.XX, error=password_rejected, reason=‘Could not modify attribute for DN [CN=XXX,OU=XXX,OU=People,OU=Users,OU=XXX,DC=XXX,DC=com]’, auth_method=openid-connect, custom_required_action=UPDATE_PASSWORD, response_type=code

Hi @RalapZ

I have the same problem. Did you solve this in the meantime?

My Keycloak has a working LDAPS connection to my DC but still I can’t change passwords:

Could not modify attribute for DN [CN=TEST TESTER,OU=Benutzer,DC=domain,DC=local]

Finally found my fault.

The Bind DN user used for changing passwords didn’t have enough rights for changing the passwords… :roll_eyes:

Hey can you provide more details as what permission this the Bind DN user needed?

Hi @jsalameh

please have a look here: https://petri.com/delegate-permission-reset-ad-user-account-passwords

This is for Active Directory, but any other LDAP should be similar.

You have to grant special rights to the user.

Hi @klepptor
I’m trying to reset my password with keycloak’s edit mode set to writable and receiving an error that says “Could not modify attribute for DN,” so I tried the method you provided, but it didn’t work for me.
Please make a suggestion for a workaround.

@shabaz

Did you check the permissions of the AD user used for changing the passwords? It works if you use the instructions from https://petri.com/delegate-permission-reset-ad-user-account-passwords

Hi, @klepptor
Thanks for your quick response!!!

I followed the directions, but it didn’t work in my case. Please validate; I am attaching a screenshot of the permission to change passwords.

Hi @shabaz
did you use the assistant to grant the permissions as stated on the linked website?
On my system there are some more permissions enabled for the user, e.g. “Read all properties”.

And I used an extra service user, not the normal Admin account.

Hi @klepptor,
Greetings!!!

Yes, I followed the steps in the link to grant the permission; the only thing that was missing was enabling the permission “Read all properties” for the user, which I enabled, but it still didn’t work.

In my case, I used a standard admin account, as it’s a bind user for my keycloak server.

Hi @klepptor,

Please suggest a solution to the above error if at all possible.

Hi @shabaz

I don’t really have a solution for you!

Try with a different user (as you’re currently trying with an admin user) and give him rights as suggested on the linked website.

If that still doesn’t work I don’t have any other advice…

Sorry

Hi! Grant these permissions on the users OU to Keycloak’s service account, applied to Descendant User Objects:

  • Reset Password
  • Write public information
  • Write Logon Name (pre-Windows 2000)
  • Write pwdLastSet
  • Write userAccountControl

It is recommended to grant the access to a security group which contains the service account.
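As an added example (not from this thread or from Keycloak), here is a PowerShell script that delegates exactly the five permissions listed above to a security group on the users OU, scoped to descendant user objects, and then prints the resulting ACEs so you can verify them. It assumes the RSAT ActiveDirectory module, a session that is allowed to change the OU’s ACL, and placeholder names for the OU (`OU=People,DC=example,DC=com`) and the group (`Keycloak-PasswordAdmins`). The schema and control-access GUIDs are resolved from the forest at run time rather than hard-coded, so the script works unchanged in any domain.

```powershell
# Added example: delegate password-reset rights to a Keycloak service-account group.
# Not from the thread; OU and group names below are placeholders to replace.
Import-Module ActiveDirectory   # provides Get-ADObject, Get-ADGroup and the AD: drive

$usersOu   = 'OU=People,DC=example,DC=com'   # placeholder: OU that holds the user objects
$groupName = 'Keycloak-PasswordAdmins'        # placeholder: group containing the bind/service account

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve schemaIDGUID of a class/attribute from the schema partition.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}

# Resolve rightsGuid of a control access right or property set from CN=Extended-Rights.
function Get-RightsGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$displayName' not found" }
    [Guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'                 # inheritedObjectType: descendant user objects only
$resetPassword = Get-RightsGuid 'Reset Password'       # control access right
$publicInfo    = Get-RightsGuid 'Public Information'   # property set
# Write Logon Name (pre-Windows 2000) is the sAMAccountName attribute.
$attrGuids     = 'sAMAccountName', 'pwdLastSet', 'userAccountControl' | ForEach-Object { Get-SchemaGuid $_ }

$identity = (Get-ADGroup $groupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Build one ACE per permission from the list; each is inherited only by user objects under the OU.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $extRight, $allow, $resetPassword, $inherit, $userClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $writeProp, $allow, $publicInfo, $inherit, $userClass)
)
foreach ($g in $attrGuids) {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $writeProp, $allow, $g, $inherit, $userClass)
}

# Apply the ACEs to the OU's security descriptor.
$acl = Get-Acl -Path "AD:\$usersOu"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$usersOu" -AclObject $acl

# Verify: show what the group now holds on the OU (expect 5 ACEs, InheritanceType = Descendents).
(Get-Acl -Path "AD:\$usersOu").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two checks worth making alongside the ACL when the Keycloak error persists: the bind account must actually be a member of the group the ACEs were granted to (a new group membership only takes effect after the account's next logon/bind), and Active Directory only accepts password modifications over an encrypted connection, which is why the working LDAPS connection mentioned earlier in the thread is a prerequisite rather than an optional extra.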